Email verification for Enterprise users

Hello @mcrawshaw,

Welcome to the Community! If the identity provider is an OIDC provider (e.g., Google), you should get email_verified in the security token from the provider. If it is a SAML provider, you have a couple of options:

  1. Have the provider add an email_verified claim to the SAML assertion,
  2. Map some other value to email_verified.

We went with the second option. From what I can tell, because email_verified is a boolean, you can map any truthy value to it. For example, we are mapping the nameidentifier field to email_verified:

{
    "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email_verified": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
}

We know our third-party provider will always provide a valid nameidentifier, which in this case happens to be the user’s email address, so by mapping that string to email_verified, we get email_verified set to true at account creation time. I am submitting feedback to Auth0 to allow us to edit email_verified for Enterprise users.

5 Likes
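
The mapping described in the post above, modelled as an added example (not part of the original post and not Auth0's code). It assumes, following the post's observation, that a boolean profile field takes the truthiness of the mapped attribute value, and it reports which SAML attribute email_verified is derived from so the mapping can be reviewed. The helper names and the sample attribute set are constructed for illustration.

```javascript
const NAMEID =
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";

// Mapping copied from the post.
const mapping = {
  user_id: NAMEID,
  email: NAMEID,
  email_verified: NAMEID,
};

// Constructed sample of attributes extracted from a SAML assertion.
const sampleAttributes = { [NAMEID]: "jane.doe@example.com" };

// Hypothetical helper: apply a profile-field -> SAML-attribute mapping.
function applyMapping(map, attributes) {
  const profile = {};
  for (const [field, source] of Object.entries(map)) {
    const value = attributes[source];
    // Assumption: the boolean field takes the truthiness of the mapped value.
    profile[field] = field === "email_verified" ? Boolean(value) : value;
  }
  return profile;
}

// Hypothetical helper: describe what email_verified is derived from, so a
// reviewer can tell an IdP-issued boolean from "the attribute was present".
function describeEmailVerifiedSource(map, attributes) {
  const source = map.email_verified;
  if (!source) return { mapped: false };
  const raw = attributes[source];
  return {
    mapped: true,
    source,
    sharedWithEmail: source === map.email,
    rawIsBooleanLike:
      typeof raw === "boolean" || /^(true|false)$/i.test(String(raw)),
    present: raw !== undefined && raw !== "",
  };
}

console.log(applyMapping(mapping, sampleAttributes));
console.log(describeEmailVerifiedSource(mapping, sampleAttributes));
// An assertion without the NameID attribute yields email_verified: false.
console.log(applyMapping(mapping, {}));
```

With the post's mapping, email_verified tracks whether the nameidentifier attribute is present, not a verification flag issued by the provider.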